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Author's Abstract 



The weakest liberal precondition and strongest postcondition predicate transformers 
are generalized to the weakest invariant and strongest invariant. These new predicate 
transformers are useful for reasoning about concurrent programs containing operations 
in which the grain of atomicity is unspecified. They can also be used to replace 
behavioral arguments with more rigorous assertional ones. 



Capsule Review 

It is widely recognized that reasoning, either formally or informally, about concurrent 
programs is harder than reasoning about ordinary sequential programs. At any point in 
the execution of any thread of control it is potentially possible for shared variables to 
be written by another thread, invalidating conditions that have just been established by 
the first thread. 

The standard approach to verifying concurrent programs is to divide the execution of 
each thread into a series of atomic actions, and to show that all possible interleavings of 
the atomic actions of the various threads are guaranteed to produce correct results. This 
report introduces a new method for verifying concurrent programs without specifying 
the grain of atomicity of operations. It requires instead only that certain invariants of 
the operations be known. For example, a statement like a :— b + c typically consists 
of several atomic actions (particularly if a, b, and c are long integers and cannot be 
read or written atomically by the hardware), but it may be assumed that execution of 
the entire statement or any part of it leaves invariant the value of any variable d distinct 
from a, b, and c. 

From a theoretical standpoint, the verification method introduced in this report is 
interesting in that it makes it possible to verify concurrent programs without precisely 
specifying the decomposition of statements into atomic operations. From a practical 
standpoint, this means that programs can be analyzed at a coarser grain than that of 
atomic operations. 

The tools developed here are by no means a panacea. Verification of concurrent 
algorithms is still a tricky business, requiring careful attention to detail, as study of 
the examples in the text will indicate. However, by allowing the analysis to be done 
at a coarser grain, these tools can reduce the number of steps (and consequently the 
temptation to skip some steps) needed for verification, making the process somewhat 
less arduous (and error-prone) than it has been in the past. 

Jim Saxe 
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1 Introduction 



Partial correctness is a relation between the program states before and after execution 
of an entire program. For reasoning about concurrent programs, the appropriate gener- 
alization of partial correctness is invariance, which is a relation between the program 
states before and after the execution of each atomic operation of a program. The ap- 
propriate generalization of the Hoare triple {P} S {Q} is the assertion that S leaves a 
predicate / invariant [13]. Because the invariant / describes the program state during 
execution, it must depend upon the control state as well as on the values of ordinary 
program variables. 

The predicate transformers wlp (the weakest liberal precondition) and sp (the strongest 
postcondition) for proving partial correctness properties of sequential programs were 
developed in the early 1970's by de Bakker and others [3, 4] and popularized by 
Dijkstra [5]. Here, we generalize them to the predicate transformers win (the weakest 
invariant) and sin (the strongest invariant) for proving safety properties of concurrent 
programs. Some of the ideas presented here originally appeared in [12], but with a 
different notation. 

The wlp and sp operators are useful because they allow one to encode partial correctness 
information in a predicate. A predicate containing the wlp or sp operator can be used 
in a program annotation to prove a partial correctness property. While it is well known 
that the ability to express such predicates is necessary for a logic of Hoare triples to 
be complete [1], the practical utility of these predicates in proving partial correctness 
properties is not widely appreciated. 

In an analogous fashion, the predicate transformers win and sin are useful for proving 
invariance properties of concurrent programs because predicates they can appear in 
an invariant. We have discovered two applications of these predicate transformers: 
reasoning about programs that are not decomposed into their atomic operations, and 
transforming certain behavioral reasoning into more rigorous assertional reasoning. 

We give two examples of reasoning about nonatomic operations. The first shows that, 
when the atomicity of an operation is obviously irrelevant, we can reason directly about 
the nonatomic operation instead of pretending that it is atomic. While not having 
to introduce unnecessary atomicity is aesthetically pleasing, it offers little practical 
benefit. The second example, a correctness proof of the bakery algorithm [9], is 
more compelling. The bakery algorithm is a mutual exclusion algorithm that makes 
no atomicity assumptions about its operations. Our proof reveals that the algorithm 
has a subtle bug — more precisely, its correctness depends upon unstated assumptions. 
Correctness proofs of the bakery algorithm have appeared in [9] and [10], and a proof 
of a variant, requiring the same assumptions, appeared in [11]. The fact that none of 
these other proofs revealed the hidden assumption indicates the utility of the approach 



1 



presented here. 

Our final example illustrates a different use of the predicate transformers. Assertional 
reasoning, based upon invariance, has proved to be more reliable than behavioral 
reasoning, which argues directly about the sequence of operations executed by the 
program. However, there have been examples in which a purely assertional proof 
was more complicated than a hybrid proof — one using a behavioral argument to show 
that the given algorithm is equivalent to a simpler one whose correctness is proved 
assertionally. It appears that the win and sin operators can be used in these examples 
to replace the hybrid proof with a simple, assertional one. This is illustrated by a 
distributed algorithm abstracted from part of a well-known algorithm for computing a 
minimum spanning tree [6]. 

This paper is primarily concerned with applications of win and sin rather than with their 
formal properties. The treatment of the formalism is brief, and no attempt is made to 
develop a complete proof system. We hope to present completeness results in a future 
paper. 

Our approach is semantic rather than syntactic, meaning that we deal not with pieces of 
program text but with the mathematical objects represented by those pieces of text. For 
example, we view the expression x > 0 as a boolean-valued function on the program 
state (a function that depends only on the value of the variable x) rather than as a string 
of characters generated by some grammar. By eschewing syntax, we hope to focus 
attention on the underlying concepts. 

The definitions and properties of the predicate transformers win and sin are independent 
of a programming language. They can be applied to concurrent programs written 
in any imperative language, regardless of whether processes communicate through 
shared memory, synchronous or asynchronous message passing, or remote procedure 
call. However, our major examples involve a generalization of the Owicki-Gries 
method [10, 14], and we describe this method only for programs that can be written in 
a very simple language. 

2 Assertional Reasoning 

We begin with a review of the traditional approach to concurrent program verification 
that will serve to introduce some notation and describe our view of concurrent programs. 
We take as an example the program of Figure 1 . In this program, the body of the outer 
cobegin is executed concurrently as n separate processes, each with a different value 
substituted for /, and the body of the inner cobegin similarly "forks" n — 1 subprocesses. 
(Here and throughout this paper, the range of values of the variables and j is assumed 
to be the set {1, . . . , n). To avoid having to define the meaning of an empty cobegin 
statement, we assume that n > 1 for this program and its variants that appear later.) 
The await operation can be executed only when its condition is true, in which case it 
is equivalent to a skip. Angle brackets enclose atomic operations, and the predicate 
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var num: array 1 ... n of nonnegative integer; 

cobeginD ; = i...„ 

loopncs, : {noncritical section); 

fit: (num[i] := 1 + max{num[j] : j ^ ;'}}; 
<5 ; : cobegin D^,- 

rjij: (await; «; j) 
coend; 
est : (critical section); 
Pi M . (num[i] :=0} 
endloop 
coend 

Figure 1 : A simplified version of the bakery algorithm. 

;' <C j is defined to equal 

(num[j] — 0) V (num[i] < num[j]) V (num[i] — num[j] A i < j) (1) 

Since we are concerned only with safety properties [10], it does not matter what 
fairness assumptions are made about when an operation must be executed. Thus, the 
inner cobegin could be implemented by a for loop, with the subprocesses executed one 
after the other. 

This program is a simplified version of the bakery algorithm — a mutual exclusion 
algorithm described in [9]. The critical and noncritical sections are represented by 
atomic operations, which are assumed not to modify the variables num[i], and the 
original bakery algorithm is trivialized by making the operations /J, and atomic. 

2.1 States and Predicates 

In our semantic approach, a program consists of a set S of states and a set n of atomic 
operations. 1 Here, we describe the set of states; atomic operations are defined in 
Section 2.2. 

States 

A state of a program is a mapping from the set of program variables to some set of 
values — in other words, a state consists of an assignment of values to the program's 
variables. In addition to ordinary program variables, we also introduce control variables 
that describe the control state of the program. 

For simple cobegin programs, such as the simplified bakery algorithm of Figure 1, 
the control variables consist of variables at(%), for every atomic operation £ in n. 

1 If we were considering liveness properties as well as safety properties, a program would also have to 
include fairness conditions. 
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The variable at(% J is a boolean-valued variable whose value is true iff (if and only if) 
control is at operation § . For the simplified bakery algorithm, the variables are num [i], 
at(ncsi), at(Pi), at(r)ij), at(csi), and at(pi), for all i, j — \, ... ,n with i / j. A state 
of this program is an assignment of nonnegative integers to the variables num[i] and 
booleans to the at variables. 

We restrict the set S of states to allow only valid assignments of values to the control 
variables. For simple cobegin programs, we require that the values of the at variables 
do not declare control to be at two places in the same process — except where a nested 
cobegin splits the process into subprocesses. For example, in the simplified bakery 
algorithm, at( t]^) and at(cst) are not both assigned the value true in any state. 

The set S of program states may include ones we don't expect to occur during an 
execution. For example, the simplified bakery algorithm contains states with at(rjij) 
true and num[i] — 0, even though /3, sets num[i] to a nonzero value. Similarly, there 
are states in which at(cs\) and at{cs-i) both have the value true, even though this is 
a correct mutual exclusion algorithm, and control will never be simultaneously at the 
critical sections of two different processes while executing the program. 

Definition of s x v \ ;;; *™ 

Let xi, x m be distinct variables, and let Vi, . . . , v m be values. For any state s, we 
define s*j Z. *™ to be the assignment of values to variables that is the same as s except 
that each x p is assigned the value v p . Note that sj)"! J™ need not be a state if one or 
more of the x, are control variables. 

State Functions and Predicates 

A state function is a function whose domain is the set of states, and a predicate is a 
boolean-valued state function. If P is a predicate, we write s \= P instead of P(s) and 
define |= P to equal Vi eS:s|= P. Thus, |= P asserts that P is true for all program 
states. 

A variable is a state function whose value on a state is the value of the variable in that 
state. In particular, a boolean-valued variable is a predicate. 

State Function Not Accessing a Set of Variables 

We say that a state function / does not access a set {xi, . . . , x m ] of variables iff 
f(s) — f(s*\Z J") for every state s and all values v\, v m such that s*\Z J" isastate. 
Intuitively, / does not access a set of variables iff the value of / can be computed 
without knowing the values of those variables. 2 

2 One might expect that a state function does not access a set {x\ , . . . , x m } of variables iff it does not 
access each singleton set {x, }. However, this is not true. For example, in the simplified bakery algorithm, 
taking any state and changing the value of either at(cs t ) or at{ p; ) by itself cannot yield a valid control state. 
Hence, every state function does not access the set [at(cst )} and does not access the set {at(p t )}. However, 
at(csi) is a state function that accesses (does not not access) the set [atfcst ), at(p t )}. What all this means is 
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A control predicate is a predicate that does not access the set of all variables other than 
control variables. 



2.2 Actions and Atomic Operations 

Actions 

An action is a relation on the set of states — that is, a set of pairs of states. The possible 
executions of an atomic operation are represented by an action £, where (s, t) € § 
means that executing the atomic operation starting in state s can produce state t . 

An action § is deterministic iff for each state s there is at most one t such that (s , t ) e § . 
Any deterministic action can be written in the following form, where the x p are distinct 
program variables, b is a predicate, and the e p are state functions: 



\x m ) 



\e m ) 



(2) 



This describes the set of all pairs (s, s x e ^Z *™ (s) ) such that s \= b equals true. In other 
words, it is an action that can be executed only if b is true, and it has the effect of first 
evaluating the expressions e p and then setting the x p , all in one step. Although we 
do not assume that actions are deterministic, we will not discuss the representation of 
nondeterministic actions. 

For the simplified bakery algorithm of Figure 1, statement ft describes the action 



at(Pi) 



( num[i]^ 
at(Pi) 



(1 + max{num[j] : j ^ ip 
false 
true, for all j ^ ;' 



and statement rjij describes the action 



at(r)ij) Ai«j 



at(rnj) 
at(csi) 



false 



Action Modifying or Not Accessing Variables 

We say that an action % modifies a variable x iff there exists a pair (s , t) in § such that x 
has different values in states s and t . We say that § does not access the set {x\ , . . . , x m ] 
of variables iff § does not modify any of the x p and for any (s, t) € f and any values V\ , 
. . . , v m , if s*\ Z x v m is a state then *™ , ;;; e Intuitively, x does not access a 
set of variables iff § can be executed without reading or writing any of those variables. 

that there is no unique definition of the set of variables that are accessed by a state function. 
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The action (2) does not modify any variables other than the x p ; it does not access any 
set of variables that does not contain the x p and is not accessed by any of the e p . In 
the simplified bakery algorithm, the action described by $2 modifies only the variables 
num[2], at(fii), and at(r]2j) for all j ^ 2; it does not access the set {at(fi 1 ), at(r)n)\ (as 
well as many other sets of variables). 

Atomic Operations 

An atomic operation £ of a program consists of an action together with control predicates 
at(t; ) and after(^ ). Intuitively, at(% ) asserts that control is at a point where £ can be 
executed, and after(% ) asserts that control is at a point that can be reached by executing 
In the simplified bakery algorithm, 

after(ncSi) 
after(Pi) 

after(r)ij) 
after(pi) 

The at predicates are program variables and are not defined in terms of anything else. 

We will identify an atomic operation with its action. Thus, if § is an atomic operation, 
(s, t) e § means that the pair of states (s, t) is an element of the action of Similarly, 
we say that an atomic operation does not modify a variable iff its action does not modify 
the variable. 

Our informal statement, that at ) holds iff control is at § and after( § ) holds iff control is 
immediately after § , is formalized as the following assumption about atomic operations. 

CTL1. For any atomic operation if (s, t) e § then s ^= at(^) and 

t \= after(^). 

For simple cobegin programs like the simplified bakery algorithm, there is a variable 
at(t; ) for each atomic operation § in the set n of the program's atomic operations. For 
programs written in a different language, the at predicates might be defined in terms of 
other control variables. 

2.3 The Hoare Logic of Actions 
Definition of Hoare Triples 

Let § be an action and let P and Q be predicates. We define the Hoare triple {P} § { Q] 
to mean V(s, t) € % : (s \= P) =>• (t \= Q). In other words, {Q} asserts that 

if P is true in state s and executing § in state s can yield state t, then Q is true in 



= at(ft) 
= /\at(Y]ij) 



= at(csi) V I -^at(rnj) A \f at(r\ ik ) J 



= at(ncsi) 
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state t. While this definition is superficially the same as the usual one for ordinary 
Hoare triples, it is different in two respects: (i) § is an action (a set of pairs of states), 
not a program statement, and (ii) the state includes control variables, not just ordinary 
program variables. 

Proving Hoare Triples 

The language-independent rules for reasoning about ordinary Hoare triples [8] apply to 
our Hoare triples as well. Because our states include control variables, we do not need a 
separate axiom or proof rule for every language construct. Instead, we can use the simple 
rule that, if § is the action (2), then {P } § { Q] is equivalent to |= (P A b) =>■ g* 1 ;;; *™ , 
where <2*[ ... *™ is the predicate defined by letting s |= ... ** equal s^... e "^ s) 
for any state s? This rule follows from the definitions of {P) § { Q} and of action (2). 
As an example, the reader can derive \(num[i] > 0) V —<at(r)ij)} r\ij {i <C j] from this 
rule and the definition of ;' 4C j . 

Action Leaving a Predicate Invariant or Unchanged 

We say that a predicate P is an invariant of an action f , or that § leaves P invariant, 
iff {P} § {P} holds. In other words, P is an invariant of f iff any execution of § from a 
state in which P is true yields a state in which P is true. 

We say that f leaves P unchanged iff it leaves both P and ->P invariant, which is true 
iff (5 |= P) = (t \= P) for all 0, f ) G £. 

Properties of Invariance 

We now list some simple properties that are useful for reasoning about invariance, 
where f is an arbitrary atomic operation and P and the P A are predicates. 

AC 1 . If P does not access the set of variables modified by § , then § leaves P unchanged. 

AC2. If § leaves each P h invariant, then it leaves f\ h P h and \J h P h invariant. 

AC3. If |= P =>■ -.flff^j then £ leaves P invariant. 

AC4. | leaves P invariant iff it leaves (afflf J V after{% )) A P invariant. 

Properties AC1 and AC2 follow from the definitions of what it means for an action to 
leave a predicate invariant or unchanged. Properties AC3 and AC4 follow from the 
definition of invariance and assumption CTL1 . 

Remember that an atomic operation f consists of an action together with the control 
predicates at(%) and after(^). Properties of atomic operations that do not mention 
control predicates, such as properties AC1 and AC2, hold for any action. 

3 In a syntactic approach, one would define Q]\ "[ *™ when Q and the e p are formulas rather than state 
functions. Given formulas for Q and the e p , the formula for ge| !!! 5 is obtained by simultaneously 
substituting e p for x p , for p = 1 , . . . , m. 
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2.4 Properties of a Program 



Executions 

An execution of the program consists of a finite or infinite sequence sq, s\, . . . of states 
such that each pair (s m , s m+ \) is in some action of n. 4 In other words, an execution 
is any sequence of states obtained by starting in an arbitrary state and executing pro- 
gram actions. Properties of the program are expressed as assertions about the set of 
executions. 

We do not assume any particular starting state for the execution, so the simplified 
bakery algorithm has executions beginning in a state with all processes at their critical 
sections. In our formalism, the usual assumption that the program starts in a proper 
initial state appears as a hypothesis in the property to be proved. 

We can consider two programs to be equivalent if they have the same set of executions. 
A pair of states is in an action of n iff it is in the union of all the actions of n. (Since 
actions are sets of pairs, the union of actions is just ordinary set union.) The set of 
executions of a program depends only on the set S of states and the union of the actions 
in n. Thus, two programs may be considered equivalent if they have the same set of 
states and the unions of their atomic operations are the same. 

There can be many different sets n that have the same union and thus define equivalent 
programs. For example, suppose a program has an atomic operation § that sends a 
message to some process p and an atomic operation \i that sends a message to some 
other process q. Replacing these two atomic operations by the single atomic operation 
? U/i that sends a message to either p or q results in a new set n that defines an 
equivalent program. (We define at{% U \x) to be at(%) V at(fi) and after(% U [i) to be 
after(% ) V after(fi).) The action ^U/i will be nondeterministic if there exists a state in 
which the program can send a message to either p or q. 

Properties 

A property is a boolean-valued function on the set of sequences of states. The program 
is said to satisfy a property V, written |= V, iff V is true for every program execution. 

If P and Q are predicates, we define P =>■ □ Q to be the property that is true of a 
sequence sq, s\, . . . iff —•(sq |= P) V (Vm: s m \= Q). Thus, |= P =>• □ Q asserts that Q 
is true for every state of every program execution that starts in a state with P true. 

We consider only properties of the form P =>• □ Q. Partial correctness is expressed 
in this form by letting P be the initial condition and Q the predicate asserting that 
the termination condition (which is a control predicate) implies that the answer is 
correct. The mutual exclusion property of the simplified bakery algorithm is expressed 
as P =>■ DQ where P is /\ i at(ncsi) and Q is /\ ( _^ ->(at(csi) A at(csj)). 

4 Since we are concerned only with safety properties, we need not disallow finite sequences that end in 
nonhalting states. 
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Program Invariants 

A predicate is said to be a program invariant iff it is an invariant of every action of 
n, or, equivalently, iff it is an invariant of the union of all actions of n. A predicate 
/ is a program invariant iff |= / =>- It is clear that |= P =>• /, |= / =>• □ and 
^= / =^ Q together imply ^= P =>■ □ Q. Hence, to prove |= P =>• □ Q, it suffices 
to find a program invariant / such that |= P =>■ / and |= / =>• Q. This reduces the 
proof of a safety property, which is an assertion about executions, to reasoning about 
predicates and individual actions. 

2.5 Simple cobegin Programs 

We will describe the Owicki-Gries method only for programs that can be written in a 
simple language of nested cobegins. We now describe these programs and make some 
definitions that pertain only to them and not to arbitrary programs. 

The Programs and Their Control Predicates 

A simple cobegin program is one that can be written in a language consisting of el- 
ementary statements (such as assignment and await statements), concatenation (";"), 
nonterminating loop — endloop statements, and cobegin — coend statements. We re- 
quire that any "loop" keywords must precede every Each elementary statement is 
enclosed in angle brackets, indicating that it represents an atomic operation. 

The control variables of a simple cobegin program consist of the variables at(% ) for all 
its atomic operations § . The after predicates can be defined in terms of the at variables 
by a simple recursion on the program structure; we will not bother giving the general 
definition. 

Atomic Operations Belonging to Different Processes 

We say that two atomic operations belong to different processes iff they occur in 
different clauses of the same cobegin statement. For example, in the simplified bakery 
algorithm of Figure 1, rjij and belong to different processes if j ^ k, while /3, and 
r\ij do not belong to different processes. The Owicki-Gries method is based upon the 
following property of simple cobegin programs. 

CTL2. If atomic operations § and fi in n belong to different processes, then § leaves 
at(\x) and after(fi) unchanged. 

Predecessors 

We say that an atomic operation fi is a predecessor of an atomic operation § iff 
control can reach § by executing \x. In the simplified bakery algorithm, is the only 
predecessor of each j/y, and each rjij is the only predecessor of cs t . Our restriction 
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var num: array 1 ... n of nonnegative integer; 

cobeginD ; = i...„ 

loopncs, : {noncritical section); 

Pi'. (num[i] := 1 + max{num[j] : j ^ /}) {num[i] > 0}; 
5,-: cobegin Dj^,- 
{num[i] > 0} r]^: (await; 4C j) {(num[i] > 0) A (;' 4C j)} 



{(num[i] > 0) A 
ci,- : {critical section); 
Pi'. (num[i] :=0) 
endloop 
coend 

Figure 2: An annotation of the simplified bakery algorithm. 

that a "loop" cannot follow a ";" implies that an atomic operation has more than one 
predecessor only if it immediately follows a "coend". If the body of a loop statement 
consists of a single atomic operation then § is its own predecessor. 

2.6 The Owicki-Gries Method 
Decomposing the Invariant 

One can prove directly that a predicate / is a program invariant by proving {/} § {/} 
for every atomic operation as proposed by Ashcroft [2]. However, in the Owicki- 
Gries method [10, 14], the proof is decomposed into smaller steps by writing / as a 
conjunction of simpler predicates. For our cobegin programs, / is written in the form 



for predicates 1^ and 1'^. Intuitively, / is the predicate asserting that, for every atomic 
operation if control is at § then 1^ is true, and if control is immediately after § then 
/| is true. We represent / as a program annotation, where {/^} is written immediately 
before and {1^} immediately after omitting predicates that are identically true. We 
say that the annotation is invariant iff the predicate / represented by the annotation is 
a program invariant. 

Figure 2 shows such an annotation for the simplified bakery algorithm. For the predicate 
/ defined by this annotation, it is easy to see that 
\= ^atincsi) =3> I, and some predicate calculus reasoning shows that the defini- 
tion of i j implies |= / A/^y ~ , (at(cs i ) A at(csj)). Hence, to prove the mutual 
exclusion property for this algorithm, we need prove only the invariance of /. 



coend; 




(3) 
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The Owicki-Gries Conditions 

One proves the invariance of an annotation by proving the following two Owicki-Gries 
conditions. 

Sequential Correctness: 

(a) For every action § e II: {It}. 

(b) For every action § e II: if n,\ , . . . , fi m are the predecessors of §, then 

Interference Freedom: For every pair of distinct atomic operations 
in n that belong to different processes: {/ M A 1^} \x {/^ } and 

The proof that these conditions imply the invariance of (3) uses properties CTL1, 
CTL2, and AC2, the definition of a Hoare triple, and properties of the control structure 
of simple cobegin programs. 

We urge the reader who is not familiar with the Owicki-Gries method to use it to prove 
the invariance of the annotation of Figure 2. 

3 The Weakest and Strongest Invariants 

3.1 More About Actions 
The Composition of Actions 

Let % fi denote the composition of the actions § and \i, which is defined to be the action 
{(s, u) : 3f : ((s, t) € §) A ((f, u) e fi)}. Thus, is executed by first executing § then 
executing \x, all as a single action. The composition of two actions in n, the set of 
atomic operations of the program, is usually not an element of n. 

The composition %\ ■■■§„, of any finite, nonempty sequence of actions is defined in the 
obvious way, and the composition of the null sequence of actions is defined to be the 
identity action {(s, s) : s e S}. Thus, any element in n*, the set of finite sequences of 
atomic operations in n, is defined to be an action. 

Commutativity of Actions 

We say that § right commutes with [i (or that /x left commutes with iff § fi C ^ . 
Hence, § right commutes with \x iff (s, t) e § and (t, u) e \x imply that there exists a 
state t' with (s, t') e fi and (?', u) e Intuitively, § right commutes with fi iff any 
state reachable from state s by first executing § and then executing \x is also reachable 
from s by first executing \x then executing § . 
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Two actions are said to commute iff each of them right commutes with the other — in 
other words, iff executing them in either order has the same effect. A semaphore action 
P(s) right commutes with a semaphore action V(s) in a different process, but these 
two actions do not commute. 

The following property is a consequence of the definitions of commutativity and of 
what it means for an action not to access a set of variables. 

AC5. Two actions commute if each of them does not access the set of variables modified 
by the other. 

3.2 The Weakest Liberal Precondition 

For any action § and predicate Q, we define the predicate wlp(%, Q) by letting 
s \= wlp(%, Q) equal V? e S: {{s, t) € |) =>■ (t \= Q). The operator wlp is the 
weakest liberal precondition operator [5]. The predicate wlp(%, Q) is the weakest one 
satisfying {wlpg, 0}£{0. Thus, {Q} is equivalent to \= P =>■ wlp($, 0, 
so § leaves / invariant iff |= / =>■ wlp(%, I). If £ is the action defined by (2), then 

Wlp{$, Q) = QelZZ V-ft. 

Our definition of wlp{%, Q) differs from the usual definition in that (i) § is an action 
rather than a program statement, and (ii) our predicates may be functions of control 
variables, rather than just of ordinary variables. For example, CTL1 and the definition 
of wlp imply |= (—•at(^)) =>• wlp(i;, Q) for any atomic operation § and predicate Q. 
This result has no counterpart for the usual definition of wlp. 

We will use the following properties of wlp, where P, Q, and the Q h are any predicates, 
and § and ii are any actions. 

WLPO. |= wlp(£ii, Q) = wlp(^, wlp {pi, 0) 

WLP1. |= f\ h wlpQ, Q h ) = wlp(g, f\ h Q h ) 

WLP2. If |= P =► Q then |= wlp{%, P) =► wlp{%, Q). 

WLP3. If § leaves / invariant and § right commutes with \x, then § leaves wlp(/i, I) 
invariant. 

WLP4. If § leaves P unchanged, then |= wlp(£, P V Q) = P V wlp(£, Q). 

WLP5. If a set of variables is not accessed by § and not accessed by Q, then it is not 
accessed by wlp{%, Q). 

Properties WLP0-WLP2 follow easily from the definition of wlp and are well known. 
Note that in WLP1, h can range over an infinite set of indices. Property WLP3 follows 
from WLPO and the easily derived property that a C p implies |= wlp(/3, Q) =>• 
wlp(a, 0. Property WLP4 can be derived from WLP1 and WLP2, although it is 
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easier to prove it directly from the definition of wlp. Property WLP5 follows from the 
definitions of wlp and of what it means for a predicate or an action not to access a set 
of variables. 

3.3 The Strongest Postcondition 

The strongest postcondition operator, sp, is defined by letting t \= sp(^, P) equal 
3s G S: (0, f) G |) A (s \= P). It follows from this definition that {P}% {Q} is 
equivalent to |= sp(%, P) =>■ Q. 

As observed by de Bakker and Meertens [4], the operator sp is a dual of wlp; for every 
property of wlp there is a corresponding dual property of sp. For example, the following 
are the duals of WLP2 and WLP3. 

SP2. If |= P => Q then |= sp(£, P) =► s/>(§, 0. 

SP3. If £ leaves / invariant and § left commutes with fi, then § leaves /) 
invariant. 

The interested reader can derive these and the duals of the other properties of wlp. 

3.4 Nonatomic Operations 
Operations and Their Control Predicates 

An operation a consists of a set of atomic operations and two control predicates, offer ) 
and after( a ). The set of operations of a contains all the atomic operations that constitute 
cr, and the predicates at(o) and after(a) assert that control is at the entry and exit point 
of cr, respectively. For example, in the simplified bakery algorithm, the operation <5, 
has {rjij : j ^ i] as its set of operations, at(Si) = /\. at(r)ij), and after(Sj) = at(cs,). 

We identify an operation a with its set of atomic operations, writing % e a to denote 
that f is an element of cr's set of atomic operations. We can view an operation as a set 
of actions plus certain control information, so any concept defined for sets of actions is 
also defined for operations. Any property of operations that does not mention control 
predicates holds for an arbitrary set of actions. 

If cr is an operation, we define the control predicate in(a) to equal \Jt €a at(% ), so in(a) 
asserts that control is inside a or at its entry point. We make the following assumption 
about the relation between in(a), after(a), and the control predicates for the atomic 
operations in a. 

CTL3. |= (in(a) V after(a)) = V f6(7 (at(H) V after(^)) 

We identify an atomic operation § with the singleton set }, so an atomic operation 
is an operation consisting of a single action. If § is an atomic operation, then z'nff ) 



13 



is equivalent to at(% ). Therefore, any rules for reasoning about nonatomic operations 
should reduce to rules for atomic operations when in is replaced by at. 

The Action (a) 

For an operation a, we let (a) denote the action consisting of all pairs (s, t) such that 
an execution of a starting from state s can terminate in state t . In other words, (a) is 
the action obtained by considering a to be an atomic operation, where nonterminating 
executions are disallowed. If |= after(a) =>• —•in(a) holds, so a is not a "self-looping" 
operation, then we can define the action (a) in terms of a, at(a), and after(a) by 

(a) = |J {(s, t)ek:(s\= at(a)) A (t \= after(a))} (4) 

When self-looping operations are allowed, the definition of (a) is more complicated 
and is omitted. 

Hoare Triples, wlp, and sp for Operations 

We have defined Hoare triples, wlp, and sp for actions. We extend these definitions 
to operations by defining {P}a {Q} to equal {P} (a) { Q), defining wlp(a, Q) to equal 
wlp({cr), Q), etc. 

These concepts are traditionally defined for program statements. If we view a pro- 
gram statement as an operation, then our definitions are essentially the same as the 
conventional ones — except that our program state includes control information. More 
precisely, if operation a represents a program statement S, and the predicate Q does not 
access the set of control variables, then wlpia, Q) equals wlp(S, Q) V —>at(<7), where 
wlp(S, — ) denotes the traditional weakest liberal precondition operator for statement 
S. 

Some Definitions for Sets of Actions 

We now extend the definitions of some properties of individual actions to properties of 
sets of actions (and hence of operations) by defining them to hold for a set of actions 
iff they hold for each action in the set. A set a of actions is said to leave a predicate 
P invariant iff each action in a leaves P invariant, and to leave P unchanged iff each 
action in a leaves P unchanged. We say that a modifies a variable iff some action in a 
modifies the variable, and that it does not access a set of variables iff each of its actions 
does not access the set of variables. We say that a right commutes with a set of actions 
t iff every action of a right commutes with every action of r; the definitions of left 
commutes and commutes are analogous. 

Properties of Operations 

We will use the following general properties of operations, where a and x are any 
operations and P, Q, and the P h are any predicates. Note that OP1, OP2, and OP5 hold 
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for arbitrary sets of actions, not just for operations. 



OP1. If P does not access the set of variables modified by a, then a leaves P un- 



OP2. If a leaves each Pk invariant, then it leaves f\ h Ph and \J h Ph invariant. 
OP3. a leaves P A —'in(a) invariant. 

OP4. a leaves P invariant iff it leaves (in(a) V after(a)) A P invariant. 

OP5. Operations a and r commute if each of them does not access the set of variables 
modified by the other. 

Properties OP1, OP2, and OP5 are immediate consequences of the correspondingly- 
numbered properties of actions. Property OP3 follows from AC3 and the definition of 
in(o). Property OP4 follows from AC3, AC4, the definition of in(a), and assumption 
CTL3. 

3.5 The Weakest Invariant 
Definition of win 

Let o be a set of actions and let Q be a predicate. The predicate win{a, Q) is defined to 
equal the disjunction of all predicates / such that |= / =>■ Q and a leaves / invariant. 
The operator win is called the weakest invariant operator. By OP2, win(a, Q) is an 
invariant of a; it is the weakest invariant of a that implies Q. The set of actions a 
leaves Q invariant iff |= Q = win(cr, Q). (Since |= win{a, Q) =>■ Q always holds, a 
leaves Q invariant iff |= Q =>• win(a, Q).) 

Expressing win in Terms of wlp 

The win operator can be expressed in terms of wlp as follows. 



Let R denote the right-hand side of (5). To verify (5), we must prove that (i) |= R =>• Q, 
(ii) R is an invariant of a, and (iii) R is implied by every invariant of a. Property 
(i) holds because the empty sequence, which is in a*, is the identity action (, and 
wlpii, Q) — Q. To prove (ii), observe that for any action f of a, WLPO and WLP1 
imply |= wlp(%, R) = /\ x wlp($X, Q). Hence |= R =>■ wlp(%, R), so § leaves R 
invariant. Finally, it follows from WLPO and WLP2 that |= / =>■ wlp(%, I) and 
|=/=>- wlp(X, Q) imply |= / =>• wlp(£X, Q). A simple induction argument then 
shows that if a leaves / invariant and |= / =>■ Q, then |= / =>• wlp(X, Q) for all 
X e a*, which proves (iii). 



changed. 




(5) 
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Let (a*) be {J Xea „ A, the action consisting of all (s, t) such that executing some finite 
number of actions of a starting in s yields t . It is easy to show that |= win(a, Q) = 
wlp{{a*), Q). If a is an operation, so (cr) is defined, then (a*) is a superset of (a). 
While (cr) contains pairs of states obtained only from complete executions of cr, the 
action (cr*) includes pairs obtained from incomplete executions as well. 

Properties of win 

We will use the following properties of the win operator, where P, Q, and the Qh are 
any predicates and a and r are any sets of actions. They follow easily from equation 
(5) and the corresponding properties of wlp. 

WIN1. |= /\ h win(a, Q h ) = win(a, f\ h Q h ) 

WIN2. If |= P Q then \= win(a, P) =>• win(a, Q). 

WIN3. If a leaves / invariant and a right commutes with r, then a leaves win(x, I) 
invariant. 

WIN4. If a leaves P unchanged, then |= win(a, P V Q) = P V win(a, Q). 

WIN5. If a set of variables is not accessed by a and not accessed by Q, then it is not 
accessed by win(a, Q). 

The Predicate Transformer winp 

Of particular importance in verifying programs are formulas of the form win (a, after( a ) =>• Q) , 
where a is an operation. We denote this formula by winp(a, Q), where winp stands 
for weakest invariant of a postcondition. The predicate winp{o, Q) asserts of a state 
s that if control is anywhere in a, then any terminating execution of a starting in state 
s terminates with Q true. Contrast winp(a, Q) with wlp(a, Q), which makes this 
assertion only for a state s with control at the beginning of a . We will use the following 
properties of winp. 

WINP1. |= at(a) A winp(a, Q) = at(a) A wlp(a, Q) 

WINP2. If |= after(a) =>• -^in(a) then |= after(o) A winp(a, Q) = 
after(a) A Q. 

WINP3. If a leaves P invariant, then |= P A winp(a, Q) = P A winp(a, P A Q). 

WINP4. If |= after(a) =>• —•in(a) and a leaves P invariant, then a leaves (in(a) A 
P A winp(a, 0) V (after(a) A P A Q) invariant. 

The validity of WINP1 should be obvious from our discussion of the relation be- 
tween winp and wlp. It can be derived from (4), (5), and the observation that 
|= wlp(\J h % h , Q) = f\ h wlp(^ h , Q). Property WINP2 is proved as follows. 5 

Complicated proofs are broken down into numbered steps. Boxed numbers indicate the statement or 
statements that immediately imply the desired conclusion. 



16 



1. |= after(a) = win(p, after(oj) 

Proof: OP3 and the hypothesis imply that a leaves after(a) invariant. 

2. \= after(a) A winp{a, Q) = win(a, after(a) A 0 

Proof: By 1, WIN1, and the definition of winp, since |= (after(a) A (after(a) =>■ 
0) = after(o) A 0 

\3\ \= after(a) A winp(a, Q) = after(a) A 0 

Proof: By 2 and the definition of win, since OP3 and the hypothesis imply that a 
leaves after(a) A Q invariant, so win(a, after(a) A Q) equals after(a) A 0 

Property WINP3 is proved as follows. 

1. |= winp(o, P A Q) = winp(o, P) A winp(a, Q) 

PROOF:By the definition of winp and WIN 1, since (afterfo ) =>• P)A{after(a) =>■ Q) 
equals after(a) =>■ (P A g). 

2. |= P =>■ winp(a, P) 

Proof: Since |= P =>■ (after(a) =>■ P), WIN2 implies |= iym(cr, P) =>■ winp{a, P). 
But cr leaves P invariant, so |= win(a, P) = P. 

[3] |= (P A winp{a, Q)) =>(f A winp{a, P A 0) 
Proof: By 1 and 2. 

g] |= (P A winp{a, P A 0) =>■ (P A winp(a, 0) 

Proof: By WIN2, |= winp{a, P A Q) =>■ winp{a, Q). 

To prove WINP4, we apply WINP2 to rewrite (mfcrj A P A winp(a, 0) V (after(a) A 
P A 0 as (mfcr j V after(o)) A P A winp{a, Q) and then apply OP2. 

3.6 The Strongest Invariant 

Just as 5/7 is the dual of wZp, we can define an operator sin, the strongest invariant, that 
is dual to win. For any set of actions a and predicate P, sin(a, P) is defined to be the 
conjunction of all invariants I of a that are implied by P. Corresponding to (5), we 
have 

sin(fr,P)= /\sp(k,P) (6) 

Xecr* 

The dual of winp is sinp (a, P), defined to be sin {a, at(cr) A P), where a is an operation. 
We will use the following properties, dual to WIN2 and WIN3, which can be derived 
from (6), SP2, and SP3. 

SIN2. If |= P =^ Q then |= sin {a, P) =^ sin (a, Q). 
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array num[\ . . . n] of nonnegative integer 
array c[l ...n] of boolean 

cobegin D,-=i ...„ 

loopnci,-: noncritical section; 
a,: c[i] := true; 

Pi'. num[i] := 1 + max{num[j] : j ^ ;'}; 
Yi'. c[i] := /a/se; 
5,-: cobegin Dj^,- 

€y-: await ->c[j']; 
?jy : await i j 
coend; 
as,-: critical section; 
Pii num[i] := 0 
endloop 
coend 

Figure 3: The bakery algorithm. 

SIN3. If a leaves / invariant and a left commutes with r, then er leaves sin(x, I) 
invariant. 

3.7 Simple cobegin Programs with Unspecified Atomicity 
The Programs and Their Control Predicates 

We now consider simple cobegin programs containing elementary statements that are 
not atomic operations. These are programs that can be written in the same simple 
language considered above, except without the requirement that every elementary 
statement be enclosed in angle brackets. An example of such a program is the bakery 
algorithm, given in Figure 3. This is essentially the same as the original version in [9], 
though with different notation. It is an extreme example because no atomic operations 
are specified. 

Figure 3 says nothing about the grain of atomicity of the program's operations. State- 
ment Pi could be executed by reading each num[j] one bit at a time, and writing num[i] 
one bit at a time. The individual bits could even be read and written several times. 
Thus, Figure 3 does not describe a single program; it is a specification of a class of 
programs that are valid implementations of the bakery algorithm. Proving a property 
of the bakery algorithm means proving that property for any valid implementation. 

In addition to the ordinary variables num[i] and c[i], an implementation of the bakery 
algorithm will contain hidden variables — variables not explicitly mentioned in Fig- 
ure 3. For example, hidden variables are needed to hold the values of intermediate 
computations when executing # . In the bakery algorithm, the control variables are 
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hidden variables. We can't write an explicit expression for the predicate z'rcfjSJ in 
terms of variables at(t; ) for atomic operations f because Figure 3 does not specify what 
those atomic operations are. Such an expression can be written only for a particular 
implementation, in which the atomic operations are given. 

We let Q denote the set of operations that correspond to the elementary statements and 
tests of the program. For the bakery algorithm, Q, = {ncsi, a,-, p 1 ,-, y,, e,y , tjjj, csi, pi : 
i ^ j}. The set Q is a partition of the set n of atomic operations, since each atomic 
operation of the program belongs to exactly one operation in £2. Of course, the actual 
atomic operations that constitute an element of Q depend upon the implementation. 

We can deduce certain relations between the at and after predicates from the pro- 
gram control structure. For example, in the bakery algorithm, we have |= at(cs,) = 
Ajyti a ft er ( r Hj) an d N (after(rnj) A infest)) =>■ at(csi). We will assume these obvious 
relations without giving a formal method for deriving them. 

Operations Belonging to Different Processes 

The definition of what it means for two arbitrary operations to belong to different 
processes is the same as the definition for atomic operations — namely, that a and r 
belong to different processes iff they occur in different clauses of the same cobegin 
statement. We make the following assumption, which is the generalization of CTL2 to 
arbitrary operations. 

CTL4. If operations a and r in Q belong to different processes, then r leaves at(a), 
in(a), and after(a) unchanged. 

Predecessors 

The definition of one operation being a predecessor of another is essentially the same 
as the definition for atomic operations — namely, an operation p in Q is a predecessor 
of an operation a in £2 iff control can reach a by completing the execution of p. In the 
bakery algorithm, p, is the only predecessor of nest, and each ^ is a predecessor of 
cs t . 

The Semantics of Nonatomic Operations 

To reason formally about programs with nonatomic operations, we must make some 
assumptions about those operations. Our first assumption is that, in the absence of con- 
current execution of other operations, a nonatomic operation has the expected meaning. 
For example, executing a nonatomic assignment x :=2* y when y equals 1 sets x to 
2. Formally, this means that we assume the validity of ordinary rules for manipulating 
wlp formulas involving nonatomic operations. Thus, if a is a nonatomic assignment 
x :— 2 * y, then wlp(a, x — 2) equals (y = 1) V -^at(a). 

What it means to execute a nonatomic operation in the presence of concurrent activity 
is a subtle issue. Consider again a nonatomic assignment x :— 2 * y. If x is not 
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concurrently modified by another operation, must execution of this assignment set x 
to an even value? One can argue that the answer is "yes", since regardless of what 
value is obtained when reading y, multiplying it by 2 yields an even number. On the 
other hand, one can argue that the answer is "no", since (x :— y);(x :— x + y) is a 
valid implementation of x :— 2 * y whose execution could set x to an odd value — for 
example, if another process increments y by 1 in the middle of the execution. 

Deciding what the semantics of x : — 2 * y should be is a problem in language design — a 
topic we wish to avoid. Instead, we just assume that this operation does not modify or 
access any variables we don't expect it to. We can make the obvious assumption that 
x is the only nonhidden variable modified by this operation, and the operation does 
not access any set of nonhidden variables that does not contain x or y. However, we 
also need some assumption about the hidden variables that the operation may modify 
or access. 

Intuitively, we assume that each process has its own local variables that are not accessed 
or modified by any other process. More precisely, we assume that, for each operation cr 
in Q, there is a set of variables that are local to a. If a and r are operations in different 
processes, we assume that they have disjoint sets of local variables. We then assume 
the following rules for reasoning about nonatomic assignment and await statements. 

Assignment Rule A nonatomic operation x :— exp(y\ , . . . , y m ) modifies only x and 
variables local to the operation. The operation does not access any set of variables that 
contains neither x, nor any y p , nor any variable local to the operation. 

Await Rule A nonatomic operation await exp{y\, . . . , y m ) modifies only variables 
local to it. The operation does not access any set of variables that contains neither any 
y p nor any variable local to the operation. 

3.8 The Owicki-Gries Method with Unspecified Atomicity 
Decomposing the Invariant 

We now extend the Owicki-Gries method to permit reasoning about simple cobegin 
programs like the bakery algorithm with nonatomic elementary statements. A safety 
property is still proved by finding the appropriate invariant /, where / is written as an 
annotation. However, the annotation now denotes the predicate 



Intuitively, this predicate asserts that, for each operation cr, if control is in cr then I a is 
true, and if control is immediately after a then I' a is true. Since in(a) is equivalent to 
at( cr) if cr is an atomic operation, (7) is the same as (3) if every operation a is atomic. 




(7) 
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The Owicki-Gries Conditions 

To prove the invariance of an annotation, one proves the following nonatomic Owicki- 
Gries conditions, where J a is defined to be (in(a) A I a ) V (after(a) A I' a ). 

Sequential Correctness: 

(a) Every operation a e Q leaves J a invariant. 

(b) For every operation a e £2 and every predecessor set p\, . . . , p m of a: 

NWAA f /;)=>t. 

Interference Freedom: For every pair of distinct operations o, r in Q that belong 
to different processes: r leaves in(a) A /„ A / t and after(a) Al' a AJ T invariant. 

The proof that these conditions imply the invariance of / is similar to the proof for the 
atomic Owicki-Gries conditions. 

By part (a) of the sequential correctness condition, each operation r in Q leaves J T 
invariant. Therefore, OP2 implies that to prove the interference-freedom condition for 
the pair er, r, it suffices to prove that r leaves in(a) A l a and after(a) A I' a invariant. 
Since a and r are in different processes, r leaves in(a) and after(a) invariant (by 
CTL4). Hence by OP2, to prove this interference-freedom condition, it also suffices to 
prove that r leaves l„ and I' a invariant. 

For an atomic operation the formula {1^} is equivalent to the assertion that 
§ leaves 7^ invariant. Hence, if all operations are atomic, the nonatomic sequential- 
correctness condition is equivalent to the atomic Owicki-Gries condition. If a and 
r are atomic operations, the presence of the in(o) and after(a) conjuncts makes this 
nonatomic interference-freedom condition somewhat weaker than the atomic Owicki- 
Gries condition. 



4 Applications 

4.1 The Single- Access Rule 

It is usually assumed that an operation may be treated as atomic if it contains at most 
one access to a shared variable. We call this assumption the single-access rule. It was 
first published by Owicki and Gries in [ 1 4] , but probably qualifies as a folk theorem [7] . 
In the traditional method of reasoning about a concurrent program, one first applies the 
single-access rule to replace the program with one containing larger atomic operations 
and then applies the atomic Owicki-Gries method to the new program. We will indicate 
with an example how the win formalism allows one to use the nonatomic Owicki-Gries 
method to reason about the original program without using the single-access rule to 
change the grain of atomicity. 



21 



var x, y: array 1 ... n of integer; 
to: integer; 

cobegin D, = i...„ a,: ( to := max(m, x[ij) ; 

y[i]:=x[i] ){m>y[i]} 

coend 

Figure 4: Annotation of a program obtained with the single-action rule. 

var x, y : array 1 ... n of integer; 
to: integer; 

cobegin D, =i...„ (m :=ma\(m, x[i])) {m > x[i]}; 
{winp(\J/i,m > y[i])} r/r,-: :=x[;] {m > y|>']} 

coend 

Figure 5: Annotation of the original program. 

The single-access rule is based upon the assumption that any access to a shared variable 
is atomic, which may not always be the case. (For example, the variable may be 
implemented as two words of memory, with access to each word being a separate 
action.) A more precise formulation of the single-access rule is that if 6; §; x[r appears 
in a program, § is atomic, and 9 and xjf are operations that do not access any set 
of variables that are not local to the process containing them, then 6\%\if may be 
considered a single atomic operation. 

Any Owicki-Gries method proof of a program transformed with the single-access rule 
can be turned into a proof of the original program. However, proving this result 
in general is rather tedious and requires properties of win and sin that we have not 
introduced. Instead, we illustrate the result with an example — namely, the annotated 
program of Figure 4, which is obtained by applying the single-action rule to combine 

(to :— max(TO, x[i]) ) 
f t : y[i] := x[i] 

into the one atomic operation a, . (In this program, m is the only nonlocal variable.) 
It is easy to prove the invariance of this annotation, from which one can deduce that 
to > max(y[l], . . . , y[n]) holds upon termination. 

Instead of applying the single-action rule, we apply the nonatomic Owicki-Gries method 
directly to the annotated program of Figure 5. We give a more detailed proof than is 
warranted by the example in order to illustrate the decomposition into simple steps that 
is the hallmark of the Owicki-Gries method. 
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Proof of Sequential Correctness — (a) 

We must show that every operation a leaves J a invariant. (Recall that J a equals 
(in(a) A I a ) V (after(a) A /^).) There are two cases to check: a — and a — t/t,-. 

An atomic action <r leaves J a invariant iff {I a } a We must therefore prove 
{true} {m > x[i]}, which follows from the usual rules for Hoare triples. 

xjfi : The invariance of follows immediately from WINP4 (substituting true for 
P)- 

Proof of Sequential Correctness — (b) 

We must show that for every operation a: if p\, . . . , p m are the predecessors of er, then 
|= at(a) A f\ p I' p I a - Again, there are two choices of a to consider. 

: This condition is vacuous, since has no predecessors. (Formally, the condition 
holds because the conjunction of an empty set of predicates equals false) 

i/r,-: Since is the only predecessor of i/^, we must prove 

|= {at(tjfi) A (m > x[i])) =£• winp{i]/i, m > y[i]) 

This formula follows from WINP1, since a simple wlp calculation shows that 
at(-ijfi) A wlpi^/i, m > y[ij) equals at(-^i) A (m > x[i]). 

Proof of Interference Freedom 

For each operation r and each operation er in a different process from r , we must prove 
that r leaves in(a) A /„ A /, and after(a) A I a A J T invariant. As we observed in 
Section 3.8, it suffices to prove that r leaves l a and l' a invariant. 

Proof for r = % k . There are two choices of o to be checked — namely, f and r/r ( - , with 
; 5* it. 

Operation^ obviously leaves 1^ invariant, since equals frwe. (Formally, this 
follows from OP1.) To prove that leaves 7|. invariant, we must show that 
{m > x[i]} [m > holds, which follows from the usual rules for reasoning 
about Hoare triples. 

t/fi : [T] % k leaves invariant. 

Proof: We must show that {m > y[/]}§,t [m > y[i]} holds, which follows by 
ordinary reasoning about Hoare triples. 

2. commutes with i/*-; . 

Proof: By the Assignment Rule and OP5. 
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3. & leaves —>after(fa) invariant. 
Proof: By CTL4. 

4. | t leaves after(fa) =>■ 7^ invariant. 
Proof: By 1, 3, and OP2. 

[3] It leaves 7^, invariant. 

Proof: By 2, 4, and WIN3, since 1^ equals win(fa, after(fa) =>■ 7^.). 

Proof for x = fa. We have the same two choices for a. 

f,-: Operation ^ obviously leaves 7^ invariant, since 7^ = true. By the Assignment 
Rule and OP1, it leaves 7|. invariant 

r/r,-: The Assignment Rule and OP1 imply that fa leaves 7^. invariant (since i ^ fe). 
The proof that it leaves 1^ invariant is similar to the proof for r = % k . 

4.2 The Bakery Algorithm 

We now prove the correctness of the original bakery algorithm, shown in Figure 3. 
More precisely, we prove that this algorithm is correct if two additional assumptions 
are made about it. Our inability to verify the correctness of the original algorithm 
will lead to the discovery of the necessary assumptions. These assumptions will be 
discussed later, after the proof. 

We have already given rules for reasoning about nonatomic assignment and await 
statements. The bakery algorithm also contains the nonatomic critical and noncritical 
sections, for which we make the following obvious assumption. 

Section Hypothesis In the bakery algorithm of Figure 3, a cs t or ncs, operation 
neither modifies nor accesses any set of variables that contains neither any num [j ], nor 
an Y c [j ; L nor any variable local to the operation. 

4.2.1 Almost a Proof 

In the Owicki-Gries method, the key to the proof is finding an invariant annotation. In 
practice, the annotation is obtained by a method of trial and error that can be viewed as 
an attempt to approximate a weakest invariant. We begin with an informal derivation 
of an invariant annotation for the bakery algorithm. After obtaining the annotation, we 
use the Owicki-Gries method to prove its invariance. This is an idealized presentation; 
in reality, derivation and proof of the annotation go hand in hand. 

We start with the predicate I cs ., which is true when control is in process i's critical 
section. The truth of I CSl must imply that no other process j is in its critical section. 
The structure of the program suggests that we let I CSl equal A/^/ ^„ > so we next 
at 7' . 
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The basic idea of the algorithm is that process ;' enters its critical section only when 
num[i] > 0 and i « j. Mutual exclusion is guaranteed because num[i] > 0 and 
;' <C j imply that j ^ ;'. Letting Ni denote the predicate num[i] > 0, our first guess 
for/;, is Ni A(i « j). 

This choice of V does not satisfy the interference-freedom condition for Pj or pj 
(the condition with a equal to jjy, and r equal to /jy or p,), since num[j] can assume 
arbitrary values during execution of the operations and p,-. In such a case, the 
standard approach is either to strengthen V to imply that control is not in or pj, or 
else to weaken it to be true whenever control is in those operations. Since process j 
can execute Pj after process i has executed jj y -, strengthening 7^.. won't work; we must 
weaken it. We weaken V to require only that 4C j hold while control in process j is 
after and before pj . This is still strong enough to guarantee mutual exclusion when 
we take 7 0j to be A/^i ^ et Q'J ^ e tne P re dicate asserting that if control is in yj, 
Sj , or csj , then i <?C j . Our next guess at 7^, is TV,- A Q y . 

Our choice of 7^ still does not satisfy the interference-freedom condition for because 
Pj puts control at yj without necessarily ensuring that i j . We must strengthen I' m . 
by conjoining a predicate to ensure that i <C j if executing Pj leaves control at yj. 
Since winp(Pj , i <ZC j) is the predicate asserting that ;' 4C j holds upon completion of 
Pj, we conjoin the predicate in( Pj) =>• winp(Pj , i j), which we denote by P[- . We 
thus choose TV,- A 7^. A g y for 7^ . A quick check shows that this V seems to be left 
invariant by every operation of process j . 

The standard approach is to work backwards through the program, so we now choose 
I mj . Since we know nothing about the atomic operations that constitute j/ y -, we are 
forced to let I mj equal winp(rjjj, I' m .) in order to satisfy part (a) of the Sequential 
Correctness Condition. We continue working backwards and now try to find I' e .. . 

Part (b) of the Sequential Correctness Condition states that at(r)ij) A V implies 
I mj , which equals winp(rnj, N t A P[- A Q y -). By WINP1, must therefore im- 
ply wlpiriij, Ni A P{j A Qij). In the absence of concurrent activity, i j must 
hold upon completion of rjij, so executing jj y - makes Q y - true. In other words, 
wlp(r]ij, Qij) is identically true. Since executing >j y doesn't change TV,- or we 
see that wlp{r]ij, Ni A 7^. A Q i} ) equals TV,- A P!-, which becomes our natural choice 
for I' . 

Continuing backwards in this way, we let I flJ equal winp(€ij, and choose I' y , 
so it implies wlp(€ij, N t A P-). Since e y does not change num[i], we see that 
wlp(€ij, Ni A P^) equals TV,- A wlp(€ij, P{j). If wlp(€ij, P{j) were identically true, 
then we could let V equal TV,-, which obviously holds after process has executed Pi 
and Yi- Unfortunately, wlp(€ij , P~) is not identically true; just looking at e y gives us 
no reason to believe that P!- will be true after executing it. 

Simply manipulating formulas will take us no further; we must think about why the 
algorithm works. The predicate P[- asserts that if Pj is currently executing, then running 
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it to completion will set num[j] to a value that makes i <C j true. We expect P[- to be 
true after executing e y - because e y - terminates only when it finds c[j] false, and c[j] is 
true when control is in statement . This suggests replacing P[- by the weaker predicate 
(in(/3j) A c[j]) =>• winpiPj, i 4C j), which we denote P y . A complete execution of 
€ij terminates only when c[j] is false, so wlp{<Eij, Py) is identically true and we can 
satisfy the requirement that I' implies wlp(€jj , Ni A P y ) by letting I' equal Ni. Of 
course, we must also make sure that replacing P-- by P y does not invalidate any of the 
conditions we have already checked. 

The rest of the derivation is straightforward, so we stop now and define the complete 
annotation. First, recall that the predicates Ni, Py, and g y -, for i ^ j, are defined as 
follows: 

Ni = num[i] > 0 

Pij = (in(Pj) A c[j]) =>• winp(Pj , i « j) 
Qij = (in(yj) v in(Sj) v in(csj)) i j 

where in(Sj) is defined to equal V/ in(eu) V in(r} a ). The predicates of the annotation 
are defined below. Each I a that contains a w/«f> is equal to winp(a, I' a ), but WINP3 
has been used to write some of these predicates in a more convenient form. 



IflCS 


.= true 


r 

nci 




la, 


= winp(oii, c[i]) 




= c[i] 


h 


= c[i] A winpifii, Ni) 




= c[i] A Ni 


h 


= Ni 




= Ni 




= Ni A winp(€ij, Pij) 




= N A Pij 


h, 


= Ni A Pij A winp(r)ij, 




= Ni A Py A Qij 




= Ni A /\ m Pij A Qij 




= M A A;, ; ^ A Gy 


I* 


= true 







The predicate defined by the annotation is clearly true in the initial state and, since /„. 
and /„ cannot both be true if i ^ j , it implies the mutual exclusion condition. We now 
attempt to prove the invariance of this annotation using the nonatomic Owicki-Gries 
method. 

Proof of Sequential Correctness — (a) 

We must prove that each operation a leaves J a invariant. 

ncsi\ Since and I' ncs . both equal true, OP4 implies that J„ CSl is left invariant by 

ncsi. 

a, : WINP4 implies that a, leaves J aj invariant. 

: The Assignment Rule and OP1 imply that $ leaves c[i] invariant, and WINP4 
then implies that $ leaves Jp i invariant. 
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Yi'. The Assignment Rule and OP1 imply that y, leaves Ni invariant, so OP4 implies 
that yi leaves J Yi invariant. 

€ij : The Await Rule and OP1 imply that leaves N t invariant, so WINP4 implies 
that €; 7 leaves J fij invariant. 

rjij : 1 . r]ij leaves Ni invariant. 

Proof: By the Await Rule and OP1. 

2. rjij leaves winp(fij, i j) invariant. 

Proof: The Await and Assignment Rules and WIN5 imply that winpifij , i j) 
does not access the set of variables modified by rjij, so OP1 implies that rjij 
leaves winpifij, i <$C j) invariant. 

3. rjij leaves —>(in(f}j) A c[j]) invariant. 

Proof: CTL4 implies that rjij leaves —<in(fiij) invariant. The Await Rule and 
OP1 imply that it leaves -<c[j] invariant. Rule OP2 then implies that 
leaves —<{in(fij) A c[j]) invariant. 

4. rjij leaves invariant. 
Proof: By 2, 3, and OP2. 

\5\ rjij leaves J mj invariant. 

Proof: By 1, 4, OP2, and WINP4. 

csi'. The Section Hypothesis and OP1 imply that csi leaves I cs . invariant, so OP4 
implies that it leaves J cs . invariant. 

p, : By OP4, since I Pi and I' both equal true. 
Proof of Sequential Correctness — (b) 

We must show that for every operation a: if p\, . . . , p m are the predecessors of a, then 
|= at( a) A f\p I' p =^ l a . There are eight choices of a to consider. 

ncsi\ \= (at(ncsi) A /'.) /„„., is trivially true, since I ncs . = true. 

a,-: 1. ^ at(a.i) A winp(<Xi, c[i]) = at(cti) A wlp(cti, c[ij) 
Proof: By WINP1. 
2. \= wlp(oii, c[i]) = true 

Proof: By an elementary wlp calculation. 
\3\ \= (at(cii) A I' ncs .) =► I ai 

Proof: By 1, 2 and the definition of /„, 

Pi : Similar to the proof for a, . 

Yi : \= r^. =>• I Yi follows immediately from the definitions of l'^ and I Yi . 
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e, 7 : 1. |= at(eij) A winp(e ih P fj ) = at(e Vj ) A wlp(€ ih Pi/) 
Proof: By WINP1. 

2. |= Wlp(€ij, ^c[jj) =^ Wlp(€ij , Pij) 

Proof: By WLP2, since the definition of P t j implies |= (->c[y']) =>• P;;. 

3. ^= wlp{€ij , — 'c[jj) = true 

Proof: By an elementary wlp calculation. 

4. \=at(€ij) winp(eij , P^ 
Proof: By 1,2, and 3. 

Proof: By 4 and the definitions of /' and L„ . 

■qtf. 1. \=at(r)ij) Awinp(r)ij, Qij) = at(r)ij) t\wlp(m h Qij) 
Proof: By WINP1. 

2. |= wlp(rnj,i <<C j) wiping, Qij) 
Proof: By WLP2, since |= (;' < j) Qij . 

3. |= wlp(riij, i 4C j) = true 

Proof: By an elementary wlp calculation. 

4. \=at(r)ij) =^ winp(rnj, Qij) 
Proof: By 1, 2, and 3. 

Proof: By 4 and the definitions of and I mj . 

est: \= (at(csj) A f\j_ ti I' nj .) =^ I CSl follows immediately from the definitions of V 
and I CSl . 

PC. |= (at(pi) A 7^ ) =>■ 7 ft obviously holds, since 7 A . equals frwe. 
Proof of Interference Freedom 

For each operation r and each operation a in a different process from r , we must prove 
that r leaves both in(a) A /„ A J, and after(a) A 7^ A 7 T invariant. As observed in 
Section 3.8, to prove that r leaves in(a) A 7 CT A J x invariant, it suffices to prove that it 
leaves either l a A J T or simply I a invariant, and similarly for after(a) A l' a A J T . 

Proof for r = nos*. We begin by proving that ncsk leaves invariant the "primitive" 
predicates, such as P t j , that appear in the annotation. Predicate P t j is a little trickier 
than the rest because it contains a winp formula. Also, since Py and Q,j mention the 
control state of process j, which is changed by ncsj, the case k — j requires special 
consideration. 
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NCI. Operation ncs^ leaves c[i], N,, and Qij invariant, for i ^ k and j ^ k. 
Proof: This follows from the Section Hypothesis and OP1. 

NC2. Operation ncsk leaves P y invariant, for i ^ k and j ^ k. 

Proof: Operation ncsu leaves winp(fij, i j) invariant by the Section Hypoth- 
esis, the Assignment Rule, and WIN5. It leaves -^in(Pj) invariant by CTL4, and 
-<c[j] invariant by the Section Hypothesis and OP1. Rule OP2 then implies that 
ncsk leaves P y invariant. 

NC3. Operation ncsj leaves g y invariant, for i ^ j. 

Proof: Reasoning about control predicates implies 

|= (in(ncsj) V after(ncSj)) A (in(yj) V in(Sj) V in(csj)) = false 

Hence, (in(ncSj) V after(ncsjj) A Q Vj is identically true, so OP4 implies that 
ncsj leaves invariant. 

NC4. Operation ncsj leaves P (J invariant, for ; ^ j. 
Proof: The proof is similar to that of NC3. 

Using these four results, we can prove that ncs^ leaves l a and V a invariant, for each 
operation a in process i, where i ^ k. If I a contains no winp expression, then invariance 
follows easily from NC1-NC4. The proofs for all a containing a winp expression are 
similar to the proof for a — 6y , which is given below. 

€ij\ 1. ncs k leaves P t j invariant. 
Proof: By NC2 and NC4. 

2. ncsk leaves after(eij) =>■ Py invariant. 
Proof: By 1, CTL4, and OP2. 

3. nest commutes with e y -. 

Proof: By the Section Hypothesis, the Await Rule, and OP5. 

4. ncsk leaves winp(eij, P y ) invariant. 

Proof: By 2, 3, WIN3, and the definition of winp. 
\5\ ncsk leaves 7 e invariant. 

Proof: By 4, NCI, and OP2. 
\6\ ncsk leaves V invariant. 





Proof: By 1, NCI, and OP2. 
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Proof for x = at. We begin by proving the invariance results for a* that are the 
analogs of NC1-NC4. The proofs of al-a3 are similar to the proofs of NC1-NC3 
and are omitted. The strict analog of NC4 does not hold, since a, does not leave P y - 
invariant. However, in the annotation, P y always appears conjoined with Ni, so it 
suffices to prove that atj leaves Ni A P y invariant. 

al. Operation at leaves c[i], Ni, and g(/ invariant, for i ^ k and j ^ k. 
a2. Operation a* leaves P y invariant, for i ^ k and j ^ k. 
a 3. Operation a, leaves g y invariant, for ;' ^ j. 
a4. Operation atj leaves iVj A P y invariant, for i ^ j . 

1. |= {in(oij) V after(oij j) A in(fij) = at(fy) 
Proof: By reasoning about the control state. 

2. \=Ni^wlp(Pj,i «j) 

Proof: By elementary reasoning about w//?. 

3. |= (iVi A aff^j) =► winpiPj, i « j) 
Proof: By 2 and WINP1. 

4. |= ((mfayj V after(aj)) A AT,- A in(Pj) A c[j]) =>■ winpifij, i «; j) 
Proof: By 1 and 3. 

5. |= (in(aj ) V after(aj )) A A 7 ,- A P y = (in(aj ) V after(<Xj )) A AT,- 

Proof: By 4 and the definition of P y , since ^ (A A fi) => C implies |= A A 
(fi=^C) = A. (Substitute P y for B =>■ C.) 

6. «j leaves (in(otj) V after(aj)) A A 7 ,- invariant. 
Proof: By a 1 and OP4. 

\j\ ctj leaves A 7 ,- A P y - invariant. 
Proof: By 5, 6, and OP4. 

We can now prove that a* leaves I a and I' a invariant for all the operations a in process 
i, where i ^ k. Only the proofs for a equal to and e y - are given; the rest are similar 
or else follow easily from a l-a4. 

# : |T| at leaves invariant. 
Proof: By a 1 and OP2. 

2. a t leaves a/Cerf y8,J =>• A 7 ,- invariant. 
Proof: By a 1, CTL4, and OP2. 

3. at and $ commute. 

Proof: By the Assignment Rule and OP5. 
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4. a* leaves winp(/3i, Ni) invariant. 

Proof: By 2, 3, WIN3, and the definition of winp. 
\5\ a k leaves 7 ft invariant. 

Proof: By 4, a 1, and OP2. 

€y : We consider separately the two cases j / k and j — k. The proof for j ^ k is as 
follows. 

|T| leaves 7 e '.. invariant. 

Proof: a k leaves Ni invariant by a 1, and it leaves P y - invariant by a2, so OP2 
implies that it leaves N t A P y invariant. 

2. a k leaves after(eij) =>• P y invariant. 
Proof: By a2, CTL4, and OP2. 

3. a k commutes with . 

Proof: By the Assignment and Await Rules (since j ^ k) and OP5. 

4. a k leaves u>inp(ejj , P y ) invariant. 

Proof: By 2, 3, WIN3, and the definition of winp. 
\5\ a k leaves 7 6i; invariant. 
Proof: By 4, a 1, and OP2. 

We now consider the case j — k. 

\\\ aj leaves I' invariant. 
Proof: By a4. 

2. €jj leaves P y - unchanged. 

Proof: By the Await Rule and OP1. 

3. |= win(€ij, Pij V ^after(eij)) = P y V iy/n(e, 7 , -^after(e ij 'j) 
Proof: By 2 and WIN4. 

4. |= winp(€ij, Pij) = Pij V winp(€ij, true) 
Proof: By 3 and the definition of winp. 

5. |= winp{€ij , P^) = P^ V {—•in(ctj) A winp(etj, true)) 

Proof: By 4 and propositional logic, since |= in(oij) =>• —•in(fij) implies 
|= inform =>■ Py. 

6. |= 7 6 , = (Ni A P^ v (-m(cg A . . .) 
Proof: By 5. 

\l\ ctj leaves I €i . invariant. 

Proof: By 6, «4, OP3, and OP2. 
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Proof for r = ft. We begin with the analogs of NC 1-NC4. The analog of NC3 isn't 
valid because ft does not leave gy invariant. Since gy always appears in conjunction 
with Pij, it would suffice to prove that ft leaves P y A gy invariant — but it doesn't. 
However, to prove interference freedom, it suffices to show that ft leaves Jp A P y A g y 
invariant. 

pi. Operation ft leaves c[i], Nj, and gy invariant, for i ^ k and j ^ k. 
Proof: Follows from the Assignment Rule and OP1. 

P2. Operation ft leaves Py invariant, for i ^ k and j ^ k. 

1. ft leaves —i(in(Pj) A c[j]) invariant. 

Proof: ft leaves —•in(Pj) invariant by CTL4 and it leaves —<c[j] invariant by 
the Assignment Rule and OP1, so OP2 implies that it leaves -■(/nfft j A c[j]) 
invariant. 

2. ft leaves winpiPj, i 4C j) invariant. 

The crucial fact that ft leaves winpiPj, i j) invariant cannot be proved. It 
must be assumed as an additional hypothesis. This assumption is discussed later. 

3. ft leaves Py invariant. 
Proof: By 1, 2, and OP2. 

P3. Operation ft leaves J Pj A p ; A g y invariant, for; ^ j . 

1. |= J Pj = (in(Pj) V after(Pj)) A c[j] A winpiPj, Nj) 
Proof: By WINP2 and the definition of J Pj . 

2. |= (in( Pj ) V after( ft )) A Q u = (in(Pj ) V after( ft j) A (-.q/teif ft J V (q/teif ft ) A 
winpiPj, i 4C j))) 

Proof: By WINP2 and propositional logic, since 

|= (in(Pj) V after(Pj)) A (in(yj) V in(Sj) V in(csjj) = after(Pj) 

3. |= (/nfftj V after(Pj)) A c[j] A P 7 A g y = (in(Pj) V after(Pj)) A c[j] A 
winpiPj, i 

Proof: By 2 and propositional logic, using |= after(Pj) =>■ -iin(Pj). 

4. |= A P 7 A g y = A winpiPj, ' « j) 
Proof: By 1, 3, and propositional logic. 

[5] ft leaves Jp A p ; A g, 7 invariant. 

Proof: By 4 and OP2, since the sequential correctness proof showed that 
ft leaves Jp } invariant, and the definition of winp implies that ft leaves 
winpiPj, i j) invariant. 
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/S4. Operation ft leaves P y - invariant. 



1. ft leaves —*in(fij) invariant. 
Proof: By OP3. 

2. ft leaves ->c[j] invariant. 

Proof: By the Assignment Rule and OP1. 

3. ft leaves winp(J3j, i j) invariant. 
Proof: By the definition of win. 

\4\ ft leaves P y invariant. 

Proof: By 1, 2, 3, OP2, and the definition of P ; . 

We must now prove the interference-freedom condition for r — fit and all a in process 
i, with i ^ k. For most operations <r, the proof is essentially the same as for r = a*. 
When a — e,y, the proof for r = ft is simpler than the proof for r = a*, since ft 
commutes with e y - and a, does not. However, the proof for a — raj is is trickier 
because ft does not commute with r^j . We consider the interference-freedom proofs 
for t = ft only when a equals ft and , with z ^ k. 

ft : We must prove that ft leaves and invariant. The invariance of follows 
immediately from ft 1 . However, to prove that ft leaves / ft invariant, we must 
show that it leaves winpifii, num[i] > 0) invariant. This cannot be done. We 
must assume that ft leaves winp(fii, num[i] > 0) invariant. This assumption 
is discussed later. 

r)ij : We must prove that ft leaves Jp j A I mj and A l' n .. invariant. The proof when 
k ^ j is similar to the proof for r = a* and <r = e y - given above. We consider 
only the case when k — j . 

|T| ft leaves 7^. A V invariant. 
Proof: By >81, ft3, and OP2. 

2. »jy leaves Q t j unchanged. 
Proof: By the Await Rule and OP1. 

3. \=winp(r)ij, Qij) = Qij V winpfaj , true) 

Proof: By 2 and WIN4, which imply that win(r\ij, g y - V -^after(rnj)) equals 
Qij v win{r)ij,^after(r)ij)). 

4. |= winp{r)ij, Qij) = Qij V (rinfPj) A winpimj , true)) 

Proof: By 3 and predicate calculus reasoning, since |= /nfftj =>• -'(in(yj) V 
z'nCSjJ V in(csj)), so |= /nfftj =>• 2,y . 

5. |= J Pj A /, y = (J fSj A AT; A Py A Qij) V (-/nfftj A . . .) 
Proof: By 4 and the definition of . 
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\6\ Pj leaves Jp A /,, invariant. 

Proof: By 5 and OP2, since p 1 1 implies that it leaves Ni invariant, y84 implies 
that it leaves A P y A <2 y invariant, and OP3 implies that it leaves —>in(Pj)A. . . 
invariant. 

Proof for r = y k . As usual, we begin with the analogs of NC1-NC4. The statements 
and proofs of y 1 and y2 are similar to the ones for NCI and NC2 and are omitted. 

y3. Operation yj leaves Qij invariant, for; ^ j. 

Proof: Follows from OP4, the Assignment Rule, OP1 , and OP2, since |= afterf yj) =>■ 
in(Sj) implies that (in(yj) V after(yj)) A gy equals (in(yj) V after(yj)) A (;' j). 

y4. Operation y- 3 leaves P i3 invariant. 

Proof: By OP4, since |= (in(yj) V after(y 3 J) =>• -*in(Pj) implies that (in(y 3 ) V 
after(yj)) A P y equals z'nfyjj V after(y 3 ). 

The proof of the individual interference conditions for r = are similar to the proofs 
for t = ctfc and are omitted. 

Proof for r = e k i (k ^ /). The proof begins, as usual, by stating and proving el-e4, 
the analogs of NC1-NC4. Their proofs are essentially the same as the proofs of y l-y4. 
The interference-freedom conditions follow easily from el-e4, WIN3, and OP2, using 
the Assignment and Await Rules and WIN5 to show that e« commutes with a,-, e y - , 
and for ;' ^ fc. 

Proofs for r = r\ki (k ^ /) and r = cs^. These proofs are similar to the proofs for 
eu and nest, respectively, and are omitted. 

Proof for r — p k . This proof is similar to, but simpler than, the proof for /J^ . Like 
that proof, it requires two additional assumptions — namely, we must assume that p k 
leaves winpify, i <§C j) and winp(p t , num[i] > 0) invariant, for i ^ k and j ^ k. 

4.2.2 Correcting the Proof 

The proof above relied upon two extra assumptions: 

• Pk and p k leave winpifii, num[i] > 0) invariant, for k / ;'. 

• Pk and pk leave winpify, i j) invariant, for k ^ ;' and k / j. 

The first assumption is satisfied if $ always sets num [i] greater than 0, regardless of how 
the value of num[k] changes while executing the operation. One can devise a "legal" 
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implementation of $ that does not satisfy this assumption, but such an implementation 
would be contrived. It seems quite reasonable to incorporate the assumption into the 
definition of statement ft . 

For the second assumption to be satisfied, modifying the value of num[k] must leave 
winp(Pj, i 4C j) invariant. However, there is no reason why it should. Here is a 
perfectly reasonable implementation of ft , where the variables tji are local to process 
j- 

cobeginD/^- filji: tji :=num[l] coend; 
P2j: num[j] := 1 + maxffy-/ : / ^ j] 

Consider a state s in which all the tji equal 0, all the num[l] equal 0 except num[k] — 
num[i] > 1, and control is at ft^ and after filji . (It is possible to reach such a state in 
a normal execution of the bakery algorithm.) Completing the execution of ft starting 
in state s will set num[j] to 1 + num[k], which equals 1 + num[i], making i <C j true. 
Therefore, s \= winp{jij, i <^ j) is true. However, if the state is changed by setting 
num[k] to 0, completing the execution of ft will set num[j] to 1, making i <$C j false. 
Hence executing p k makes winpify , i <C j) false, so this predicate is not left invariant 
by pk. Moreover, since ft could temporarily change num[k] from a nonzero to a zero 
value, ft need not leave winpify, i j) invariant either. 

We can fix the proof by replacing winp(fij, i 4C j) with a predicate Ry having the 
following properties. 

(i) Rij is left invariant by ft . 

(ii) |= (after(Pj) A R^) =► / « j. 

(iii) |= (at( ft ) A num[i] > 0) =>■ R^. 

(iv) does not access any set of variables that contains neither num[i], nornwm[j], 
nor any variable local to ft . 

We leave it to the reader to check that if R^ satisfies these properties, then the invariance 
proof above works with R^ substituted for winpifij, i j) in the definition of Py . 
(Perhaps the most difficult part of this proof is verifying /33, which is done by using 
property (ii) to show that |= A P t j A g, 7 = (Jp ] A Rjj) V (after(f)j) A ...).) We 
also leave it to the reader to check that, for the implementation of ft given above, we 
can define R tj to be 

[(in(piji) V after(pijj)) =>• winp(filji, tji — num[i] > 0)] 
A [(in(p2j) v after(p2j)) =>• winp(fi2j,i « j)] 

thereby proving that the algorithm is correct with this implementation of ft . (Property 
(i) is proved by applying the nonatomic Owicki-Gries method to the one-process 
program ft.) 
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The following is an example of a valid implementation of for which there is no such 
predicate R t j , and for which the bakery algorithm is incorrect. 

[num[j] := 0 }; 

K -=j); 

t or kj := 1 to n do (if num[kj] > num[nij] then mj :=kj); 
(num[j] := 1 + num[nij]} 

There is nothing in Figure 3 to prohibit such an implementation of statement ; it 
would be a fine implementation if appeared in a sequential program. We leave it 
to the reader to construct a scenario demonstrating that the bakery algorithm does not 
satisfy the mutual exclusion property with this implementation of . 

4.3 Another Example 

Thus far, we have used win to reason about statements with an unspecified grain 
of atomicity. In our final example, we use sin to replace behavioral reasoning with 
assertional reasoning. The example may seem contrived, but it is abstracted from the 
part of the minimum spanning tree algorithm of Gallager et al. [6] that computes the 
minimum-weight external edge of a fragment. For this example, we just sketch the 
programs and proofs, omitting details. 

Consider a tree of processes, each one communicating with its parent and its children 
by sending messages. Each node p has a value val[p], and the goal of the algorithm 
is for the root process, denoted by r, to compute the minimum of all these values. 
The algorithm is obvious — every process finds the minimum of its value and that of 
its descendants, and reports that value to its parent. Each process p maintains three 
variables: 

Q[p]: a queue of received messages. 

mini[p]: the minimum of val[p] and the values reported by p's children. 
cnt[p\. the number of children of p who have not yet reported 

For simplicity, assume that another process sends a message to process p by simply 
inserting the message in Q[p]. All queues are initially empty except for Q[r], which 
contains afind message. The initial values of the other variables are unspecified. Each 
process p executes the following two actions. 

find(p): If there is afind message in Q[p], then remove it from Q[p] and set mini[p] 
to val[p]. Set cnt[p] to the number of children p has, and add afind message to 
every child's queue. If p has no children and p ^ r, then add a report {yal[p}) 
message to the queue of p's parent. 
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receive(p): If there is a report{v) message in Q[p], then remove it from Q[p], set 
mini[p] to the minimum of itself and v, and decrease cnt[p] by one. If this makes 
cnt[p] zero and p ^ r, then add a report(mini[p]) message to the queue of p's 
parent. 

The algorithm terminates when cnt[r] — 0 and Q[r] is empty, at which time mini[r] 
is the result. We wish to prove the partial correctness property |= P =>■ □ Q for this 
algorithm, where P asserts the initial condition on the queues and Q asserts that if the 
termination condition holds then mini[r] has the correct value. 

Define a process to be active if there is a report message in its queue or any message 
in the queue of any descendant, and to be, finished if it is not active and there is no find 
message in its queue or in the queue of any ancestor. Let / be the predicate asserting 
that for every process p: 

1. If there is a find message in Q[p], then (i) it is the only message in Q[p] and 
(ii) the queue of every descendant of p is empty. 

2. If p is active, then (i) cnt[p] equals the number of unfinished descendants of p 
plus the number of report messages in Q[p], and (ii) the minimum of mini[p] 
and all v for which there is a reportiv) message in Q[p] equals the minimum of 
all val[p'] with p' equal to p or a finished descendant of p. 

3. If p is finished, then mini[p] is the minimum of all val[p'] for p' equal to p or a 
descendant of p. 

The reader can check that |= P =>• /, |= / =>■ Q, and / is left invariant by every 
program action, proving that |= P =>• □ Q. 

Thus far, our example has been a simple exercise in assertional reasoning. We now 
complicate matters by allowing the tree of processes to grow dynamically. We assume 
a larger collection of processes, only some of which are initially in the process tree, 
and add a new action addchild(p, q) that makes process q a child of process p. This 
action may be executed only when the following conditions hold: q is not the parent 
or child of any process, Q[q] is empty, and val[q] is greater than the minimum of all 
val[p'] for processes p' currently in the tree. 

The following simple operational argument shows that the modified algorithm, with the 
addchild actions, satisfies the same correctness property P =>■ OQ. If an addchild(p, q) 
action is executed before the find(p) action, then the effect is the same as if q were part 
of the original process tree. On the other hand, if the action is executed after the find(p) 
action, then the effect is the same as if q were added to the process tree after the algorithm 
had terminated. Hence, we may pretend that each addchild action occurs either before 
or after the algorithm is executed. It is clear that executing an addchild(p, q) action 
at the beginning does not change P, and, since the action is executed only if val[q] is 
greater than the minimum value among existing tree processes, executing it at the end 
does not change Q. Hence, the modified algorithm satisfies P =>■ □ Q. 
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Although the modified algorithm satisfies the same partial correctness property as the 
original algorithm, a different proof is required because the modified algorithm does 
not leave / invariant. For example, an addchild(p , q) action can make condition 3 of 
/ false. One can find a new invariant for the modified algorithm, but it would be nice 
to reason directly from the correctness of the original algorithm, as in the behavioral 
argument. 

Let us write each addchild(p, q) action as the union of the two actions preadd(p, q) 
and postadd(p, q), where a pair (s, t) is in preadd(p, q) if process p is neither active 
nor finished in state s, otherwise it is in postadd(p, q). (Formally, we modify the set 
n of actions but leave the union of all actions unchanged, so we obtain an equivalent 
program.) The reader can check that every preadd action leaves / invariant; it is the 
postadd actions that may falsify /. 

Let a denote the set of all postadd actions. We show that sin(a, I) is the invariant 
that proves the correctness of the modified algorithm. To do this, we must prove 
|= P =>• sin(a, I), \= sin (a, I) =>■ Q, and the invariance of sin (a, I). 

As we observed above, every addchild action leaves P and Q invariant, so every 
action of a does also. Hence, |= sin (a, P) = P and |= sin(a, Q) = Q. By SIN2, 
|= P =>• sin {a, I) and |= sin {a, I) =>■ Q then follow from |= P =>• / and |= / =>■ Q. 

Finally, we show that sin {a, I) is an invariant. It is obviously left invariant by any 
action in a, so we must show that it is left invariant by every other action. By SIN3, 
it suffices to show that every action not in a left commutes with a postadd(p, q) 
action. It is clear that the action postadd(p, q) commutes with every action not in 
a except for the following: preadd(p', p), preadd(q, q'), find(p), and find(g). We 
prove left commutativity by showing that, if § is any one of these four actions, then 
postadd(p, q) § is the empty action. (Recall that § left commutes with fi iff ^ c § fx.) 

preadd (p' , q): The composition postadd{p, q)preadd(p' , p) is empty because an 
addchild(p, q) action can be executed only if p is already in the process tree, in 
which case the preadd(p', p) action cannot be executed. 

preadd(q, q'): postadd(p, q)preadd{q, q') is empty because the composition 
addchild{p, q)addchild(q, q') can be nonempty only if the two addchild ac- 
tions are either both postadd or both preadd actions. 

find(p): postadd(p, q)find(p) is empty because an addchild(p, q) action cannot be a 
postadd action if Q[p] contains a find message. 

find(q): postadd(p, q)find{q) is empty because an addchild(p, q) action can occur 
only if Q[q] is empty. 

This completes the proof of invariance of sin (a, I). 
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5 Discussion 



Although we have provided rigorous, step-by-step proofs in our first two examples, we 
have not tried to be completely formal. We did not give the rules for reasoning about 
control predicates needed to prove such obvious relations as |= (in(eji ) V after(eji )) =>• 
~'in(f3j) for the bakery algorithm. We believe that if a formalism is to be useful, it 
must be possible to use it rigorously but informally, without having to prove obvious 
properties. Experience with the atomic Owicki-Gries method indicates that it can 
be used in this way, and we believe that the same is true of the nonatomic version 
employing win and sin. 

In judging the utility of win and sin, it is instructive to consider why previous correctness 
proofs of the bakery algorithm did not discover its hidden assumptions. The original 
proof in [9] is an informal behavioral one, so it is not surprising that it is incorrect. The 
proof in [ 1 1 ] utilizes a set of axioms for reasoning about behaviors involving nonatomic 
operations. While the use of axioms gives an appearance of extreme rigor, the method 
ultimately reduces to the unstructured, informal reasoning of ordinary mathematics. 
The undetected assumptions in the bakery algorithm provide one more example of the 
unreliability of such reasoning. 

A rigorous Owicki-Gries method proof is given in [10]. However, since the original 
Owicki-Gries method requires that all atomic operations be specified, it was necessary to 
translate the bakery algorithm into one with explicit atomic operations. The translation 
effectively specified a particular class of implementations of the algorithm — a class that 
includes only implementations satisfying the hidden assumptions. This proof illustrates 
the danger in trying to replace one program with an equivalent one, if the equivalence 
has not been proved formally. Without a formal justification of the single-action rule, 
even its use should be regarded with suspicion. 

The bakery algorithm's two hidden assumptions are that sets num [i] to be (i) positive 
and (ii) greater than num[j], even if it is executed while the value of num[k] is being 
changed, for k ^ i, j . Although the algorithm has been rather widely studied, we know 
of only one other person who independently discovered assumption (ii). We discovered 
assumption (i) only when expanding an earlier version of our win proof to its present, 
more rigorous, form. We knew about assumption (ii) before writing this article, but we 
are confident that attempting the proof would have led to its discovery anyway. 

Assertional methods, including the Owicki-Gries method, reduce a proof of correctness 
to a collection of small steps — each of which involves reasoning about a single opera- 
tion. Previous assertional methods require that each operation be atomic. The win and 
sin operators permit the generalization of these methods to allow nonatomic operations. 
However, much work remains in assessing the practical utility of these operators and 
developing their formal theory. We believe that our rules for reasoning about win pro- 
vide a relatively complete method for proving P =>• □ Q formulas for simple cobegin 
programs, where the semantics of nonatomic operations are defined by the Assignment 
and Await Rules, but a detailed proof of this result has not yet been written. Moreover, 
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we expect a formal system for reasoning about nonatomic operations to be much more 
sensitive to the semantics of the particular language constructs than one for reasoning 
about atomic operations, so no far-reaching conclusions can be drawn from a single 
completeness result. In particular, nonatomic communication primitives have yet to be 
studied. 
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